Zero-day Exploit in PDF With Adobe Reader
hankwang writes "Security researcher Petko Petkov, who is known for his recent discovery of a vulnerability with QuickTime in Firefox, claims to have discovered an exploit that allows arbitrary code execution when a maliciously crafted PDF document is opened in any version of Adobe Reader. Petkov did not disclose any technical details other than a video, but claims on his blog that Adobe has acknowledged the vulnerability. If this exploit goes wild, it could cause some serious problems, as PDFs are usually automatically opened from web browsers and widely used and trusted by corporate users."
Yeah, the article is lacking in details, which is unfortunate. Here is a nice little summary of not only the article, but also the speculation and arguments that have formed around the claims on a number of mailing lists.
InfoSec that matters, when it counts.
Does anyone here think that embedding Acrobat into a browser is a good idea? Ignoring the plethora of stupid people who use PDF when HTML would work better, even.
I am convinced that we will not escape sandboxing every process in the not too distant future. Enough is enough, I don't think we will ever feel secure about any software any time soon.
"Sockets are the standard networking API, also useful for stopping your eyes from falling onto your cheeks" zeromq.org
People have different definitions of "bloat". Mine is when you have to clutter up your system with more than one application to do the same job. Besides, I'm of the opinion that it's alright to use the incredibly fast and high-RAM computers of today to run these applications without being stingy about resources for every single thing (unless it actually does slow down your system). While I've pitied the users who have 16 things in their system tray that eat up resources (Acrobat does this too btw, with its quick load helper service), it is also true that today's systems are built for multi-tasking in a way that is frequently not taken full advantage of, especially by power users who pride themselves on choosing efficient programs (which is great!) and getting rid of bloat (while at the same time having several different programs that have overlapping functions).
I also like how, given ONE zero-day sploit from Acrobat Reader, we have the usual gurus predicting doom and calling on corporations to switch to xpdf (if it wasn't so ridiculous as to be funny, I'd be concerned :P) and "why do we need pdf forms anyway when you can have html forms?".